Authentication of users is important to maintain data security and access control. In some cases, important files can be securely stored on a client device, with access to the files being controlled by a management agent. For example, the files can be encrypted such that they can be accessed only through the management agent. Consequently, if the client device is lost or stolen, the files are protected against access by unauthorized users. Typically, a user will provide a username and a password or other security credential to the management agent. The management agent will then contact an authentication server, which determines whether the user is authorized to access the files based upon the username and the password. If the user forgets the password, the user can request a password reset through the server.
In various scenarios, the client device can lack network connectivity to the authentication server. In these scenarios, the management agent can be equipped to authenticate the user in an off-line mode based on the user's username and password. However, if the user forgets the password, no recovery mechanism allows the user to access the secured files while in the off-line mode.
In other scenarios, the files can be of such importance to an organization that the organization is reluctant to allow the files to be placed on individual client devices for access by the devices' respective users, even if the users are individually authenticated. For example, the authenticated users can use the content of the files toward a malicious end, or the authenticated users can unknowingly use the files in such a manner that the content can be disclosed to unauthorized parties in the vicinity.